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Foreword 


ISO (the International Organization for Standardization) is a worldwide federation of national standards 
bodies (ISO member bodies). The work of preparing International Standards is normally carried out 
through ISO technical committees. Each member body interested in a subject for which a technical 
committee has been established has the right to be represented on that committee. International 
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. 
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of 
electrotechnical standardization. 


The procedures used to develop this document and those intended for its further maintenance are 
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the 
different types of ISO documents should be noted. This document was drafted in accordance with the 
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). 


Attention is drawn to the possibility that some of the elements of this document may be the subject of 
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of 
any patent rights identified during the development of the document will be in the Introduction and/or 
on the ISO list of patent declarations received (see www.iso.org/patents). 


Any trade name used in this document is information given for the convenience of users and does not 
constitute an endorsement. 


For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, 
as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the 
Technical Barriers to Trade (TBT) see the following URL: ww w.iso.org/iso/foreword.html. 


The committee responsible for this document is Technical Committee ISO/TC 176, Quality management 
and quality assurance, Subcommittee SC 2, Quality systems. 


This fifth edition cancels and replaces the fourth edition (ISO 9001:2008), which has been technically 
revised, through the adoption of a revised clause sequence and the adaptation of the revised quality 
management principles and of new concepts. It also cancels and replaces the Technical Corrigendum 
ISO 9001:2008/Cor.1:2009. 
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Introduction 


0.1 General 


The adoption of a quality management system is a strategic decision for an organization that can help 
to improve its overall performance and provide a sound basis for sustainable development initiatives. 


The potential benefits to an organization of implementing a quality management system based on this 
International Standard are: 


a) the ability to consistently provide products and services that meet customer and applicable 
statutory and regulatory requirements; 


b) facilitating opportunities to enhance customer satisfaction; 

c) addressing risks and opportunities associated with its context and objectives; 

d) theability to demonstrate conformity to specified quality management system requirements. 
This International Standard can be used by internal and external parties. 

Itis notthe intent of this International Standard to imply the need for: 

— uniformity in the structure of different quality management systems; 

— alignment of documentation to the clause structure of this International Standard; 

— theuse ofthe specific terminology of this International Standard within the organization. 


The quality management system requirements specified in this International Standard are 
complementary to requirements for products and services. 


This International Standard employs the process approach, which incorporates the Plan-Do-Check-Act 
(PDCA) cycle and risk-based thinking. 


The process approach enables an organization to plan its processes and their interactions. 


The PDCA cycle enables an organization to ensure that its processes are adequately resourced and 
managed, and that opportunities for improvement are determined and acted on. 


Risk-based thinking enables an organization to determine the factors that could cause its processes and 
its quality management system to deviate from the planned results, to put in place preventive controls 
to minimize negative effects and to make maximum use of opportunities as they arise (see Clause A.4). 


Consistently meeting requirements and addressing future needs and expectations poses a challenge 
for organizations in an increasingly dynamic and complex environment. To achieve this objective, the 
organization might find it necessary to adopt various forms of improvement in addition to correction 
and continual improvement, such as breakthrough change, innovation and re-organization. 


In this International Standard, the following verbal forms are used: 
— “shall” indicates a requirement; 

— “should” indicates a recommendation; 

— "may" indicates a permission; 

— ‘can’ indicates a possibility or a capability. 


Information marked as "NOTE" is for guidance in understanding or clarifying the associated requirement. 
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0.2 Quality management principles 


This International Standard is based on the quality management principles described in ISO 9000. The 
descriptions include a statement of each principle, a rationale of why the principle is important for the 
organization, some examples of benefits associated with the principle and examples of typical actions 
to improve the organization's performance when applying the principle. 


The quality management principles are: 
— customer focus; 
— leadership; 
;— engagement of people; 
! — process approach; 
: — improvement; 
: —  evidence-based decision making; 
= relationship management. 
0.3 Process approach 
0.3.1 General 


This International Standard promotes the adoption of a process approach when developing, 
implementing and improving the effectiveness of a quality management system, to enhance customer 
satisfaction by meeting customer requirements. Specific requirements considered essential to the 
adoption of a process approach are included in 4.4. 


Understanding and managing interrelated processes as a system contributes to the organization’s 
effectiveness and efficiency in achieving its intended results. This approach enables the organization 
to control the interrelationships and interdependencies among the processes of the system, so that the 
overall performance of the organization can be enhanced. 


The process approach involves the systematic definition and management of processes, and their 
interactions, so as to achieve the intended results in accordance with the quality policy and strategic 
direction of the organization. Management of the processes and the system as a whole can be achieved 
using the PDCA cycle (see 0.3.2) with an overall focus on risk-based thinking (see 0.3.3) aimed at taking 
advantage of opportunities and preventing undesirable results. 


The application of the process approach in a quality management system enables: 
a) understanding and consistency in meeting requirements; 

b) the consideration of processes in terms of added value; 

c) the achievement of effective process performance; 

d) improvement of processes based on evaluation of data and information. 


Figure 1 gives a schematic representation of any process and shows the interaction of its elements. The 
monitoring and measuring check points, which are necessary for control, are specific to each process 
and will vary depending on the related risks. 
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Figure 1 — Schematic representation of the elements of a single process 


0.3.2 Plan-Do-Check-Act cycle 


The PDCA cycle can be applied to all processes and to the quality management system as a whole. 
Figure 2 illustrates how Clauses 4 to 10 can be grouped in relation to the PDCA cycle. 
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Figure 2 — Representation of the structure of this International Standard in the PDCA cycle 
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The PDCA cycle can be briefly described as follows: 


— Plan: establish the objectives of the system and its processes, and the resources needed to deliver 
results in accordance with customers' requirements and the organization's policies, and identify 
and address risks and opportunities; 


— Do: implement what was planned; 


— Check: monitor and (where applicable) measure processes and the resulting products and services 
against policies, objectives, requirements and planned activities, and report the results; 


— Act: take actions to improve performance, as necessary. 
0.3.3 Risk-based thinking 


Risk-based thinking (see Clause A.4) is essential for achieving an effective quality management system. 
The concept of risk-based thinking has been implicit in previous editions of this International Standard 
including, for example, carrying out preventive action to eliminate potential nonconformities, analysing 
any nonconformities that do occur, and taking action to prevent recurrence that is appropriate for the 
effects of the nonconformity. 


To conform to the requirements of this International Standard, an organization needs to plan and 
implement actions to address risks and opportunities. Addressing both risks and opportunities 
establishes a basis for increasing the effectiveness of the quality management system, achieving 
improved results and preventing negative effects. 


Opportunities can arise as a result of a situation favourable to achieving an intended result, for 
example, a set of circumstances that allow the organization to attract customers, develop new products 
and services, reduce waste or improve productivity. Actions to address opportunities can also include 
consideration of associated risks. Risk is the effect of uncertainty and any such uncertainty can have 
positive or negative effects. A positive deviation arising from a risk can provide an opportunity, but not 
all positive effects of risk result in opportunities. 


0.4 Relationship with other management system standards 


This International Standard applies the framework developed by ISO to improve alignment among its 
International Standards for management systems (see Clause A.1). 


This International Standard enables an organization to use the process approach, coupled with the 
PDCA cycle and risk-based thinking, to align or integrate its quality management system with the 
requirements of other management system standards. 


This International Standard relates to ISO 9000 and ISO 9004 as follows: 


— ISO 9000 Quality management systems — Fundamentals and vocabulary provides essential 
background for the proper understanding and implementation of this International Standard; 


— ISO 9004 Managing for the sustained success of an organization — A quality management approach 
provides guidance for organizations that choose to progress beyond the requirements of this 
International Standard. 


Annex B provides details of other International Standards on quality management and quality 
management systems that have been developed by ISO/TC 176. 


This International Standard does not include requirements specific to other management systems, 
such as those for environmental management, occupational health and safety management, or 
financial management. 


Sector-specific quality management system standards based on the requirements of this International 
Standard have been developed for a number of sectors. Some of these standards specify additional 
quality management system requirements, while others are limited to providing guidance to the 
application of this International Standard within the particular sector. 
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A matrix showing the correlation between the clauses of this edition of this International Standard and 
the previous edition (ISO 9001:2008) can be found on the ISO/TC 176/SC 2 open access web site at: 
www.iso.org/tc176/sc02/public. 
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Quality management systems — Requirements 


1 Scope 


This International Standard specifies requirements for a quality management system when an 
organization: 


a) needs to demonstrate its ability to consistently provide products and services that meet customer 
and applicable statutory and regulatory requirements, and 


b) aims to enhance customer satisfaction through the effective application of the system, including 
processes for improvement of the system and the assurance of conformity to customer and 
applicable statutory and regulatory requirements. 


All the requirements of this International Standard are generic and are intended to be applicable to any 
organization, regardless of its type or size, or the products and services it provides. 


NOTE1  Inthis International Standard, the terms "product" or "service" only apply to products and services 
intended for, or required by, a customer. 


NOTE2 Statutory and regulatory requirements can be expressed as legal requirements. 


2 Normative references 


The following documents, in whole or in part, are normatively referenced in this document and are 
indispensable for its application. For dated references, only the edition cited applies. For undated 
references, the latest edition of the referenced document (including any amendments) applies. 


ISO 9000:2015, Quality management systems — Fundamentals and vocabulary 


3 Terms and definitions 


For the purposes of this document, the terms and definitions given in ISO 9000:2015 apply. 


4 Context of the organization 


4.1 Understanding the organization and its context 


The organization shall determine external and internal issues that are relevant to its purpose 
and its strategic direction and that affect its ability to achieve the intended result(s) of its quality 
management system. 


The organization shall monitor and review information about these external and internal issues. 
:NOTE1 Issues can include positive and negative factors or conditions for consideration. 


:NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal, 
:technological, competitive, market, cultural, social and economic environments, whether international, national, 
-regional or local. 


“NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, 
‘knowledge and performance of the organization. 
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4.2 Understanding the needs and expectations of interested parties 


Due to their effect or potential effect on the organization's ability to consistently provide products and 
services that meet customer and applicable statutory and regulatory requirements, the organization 
shall determine: 


a) theinterested parties that are relevant to the quality management system; 
b) the requirements of these interested parties that are relevant to the quality management system. 


The organization shall monitor and review information about these interested parties and their 
relevant requirements. 


4.3 Determining the scope of the quality management system 


The organization shall determine the boundaries and applicability of the quality management system 
to establish its scope. 


When determining this scope, the organization shall consider: 


a) the external and internal issues referred to in 4.1; 


b) therequirements of relevant interested parties referred to in 4.2; 
c) the products and services of the organization. 


The organization shall apply all the requirements of this International Standard if they are applicable 
within the determined scope of its quality management system. 


The scope of the organization's quality management system shall be available and be maintained as 
documented information. The scope shall state the types of products and services covered, and provide 
justification for any requirement of this International Standard that the organization determines is not 
applicable to the scope of its quality management system. 


Conformity to this International Standard may only be claimed if the requirements determined as not 
being applicable do not affect the organization's ability or responsibility to ensure the conformity of its 
products and services and the enhancement of customer satisfaction. 


4.4 Quality management system and its processes 


4.4.1 The organization shall establish, implement, maintain and continually improve a quality 
management system, including the processes needed and their interactions, in accordance with the 
requirements of this International Standard. 


The organization shall determine the processes needed for the quality management system and their 
application throughout the organization, and shall: 


a) determine the inputs required and the outputs expected from these processes; 
b) determine the sequence and interaction of these processes; 


c) determine and apply the criteria and methods (including monitoring, measurements and related 
performance indicators) needed to ensure the effective operation and control of these processes; 


d) determine the resources needed for these processes and ensure their availability; 
e) assign the responsibilities and authorities for these processes; 


f) addressthe risks and opportunities as determined in accordance with the requirements of 6.1; 


g) evaluate these processes and implement any changes needed to ensure that these processes achieve 
their intended results; 
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h) improve the processes and the quality management system. 


4.4.2 To the extent necessary, the organization shall: 
a) maintain documented information to support the operation of its processes; 


b) retain documented information to have confidence that the processes are being carried out as 
planned. 


5 Leadership 
5.1 Leadership and commitment 


5.1.4 General 


Top management shall demonstrate leadership and commitment with respect to the quality 
management system by: 


a) taking accountability for the effectiveness of the quality management system; 


b) ensuring that the quality policy and quality objectives are established for the quality management 
system and are compatible with the context and strategic direction of the organization; 


c) ensuring the integration of the quality management system requirements into the organization’s 
business processes; 


d) promoting the use of the process approach and risk-based thinking; 
e) ensuring that the resources needed for the quality management system are available; 


f) communicating the importance of effective quality management and of conforming to the quality 
management system requirements; 


g) ensuring that the quality management system achieves its intended results; 


h) engaging, directing and supporting persons to contribute to the effectiveness of the quality 
management system; 


i) promoting improvement; 


j) supporting other relevant management roles to demonstrate their leadership as it applies to their 
areas of responsibility. 


NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those 
activities that are core to the purposes of the organization’s existence, whether the organization is public, private, 
for profit or not for profit. 


5.1.2 Customer focus 


Top management shall demonstrate leadership and commitment with respect to customer focus by 
ensuring that: 


a) customer and applicable statutory and regulatory requirements are determined, understood and 
consistently met; 


b) the risks and opportunities that can affect conformity of products and services and the ability to 
enhance customer satisfaction are determined and addressed; 


c) the focus on enhancing customer satisfaction is maintained. 
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5.2 Policy 


5.2.1 Establishing the quality policy 

Top management shall establish, implement and maintain a quality policy that: 

a) isappropriate to the purpose and context of the organization and supports its strategic direction; 
b) provides a framework for setting quality objectives; 

c) includes a commitment to satisfy applicable requirements; 


d) includes a commitment to continual improvement of the quality management system. 


5.2.2 Communicating the quality policy 

The quality policy shall: 

a) beavailable and be maintained as documented information; 

b) be communicated, understood and applied within the organization; 


c) be available to relevant interested parties, as appropriate. 


5.3 Organizational roles, responsibilities and authorities 


Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, 
communicated and understood within the organization. 


Top management shall assign the responsibility and authority for: 


a) ensuring that the quality management system conforms to the requirements of this 
International Standard; 


b) ensuring that the processes are delivering their intended outputs; 


c) reporting on the performance of the quality management system and on opportunities for 
improvement (see 10.1), in particular to top management; 


d) ensuring the promotion of customer focus throughout the organization; 


e) ensuring that the integrity of the quality management system is maintained when changes to the 
quality management system are planned and implemented. 


6 Planning 
6.1 Actions to address risks and opportunities 


6.1.1 When planning for the quality management system, the organization shall consider the issues 
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that 
need to be addressed to: 


a) give assurance that the quality management system can achieve its intended result(s); 
b) enhance desirable effects; 
c) prevent, or reduce, undesired effects; 


d) achieve improvement. 
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6.1.2 The organization shall plan: 

a) actions to address these risks and opportunities; 

b) howto: 
1) integrate and implement the actions into its quality management system processes (see 4.4); 
2) evaluate the effectiveness of these actions. 


Actions taken to address risks and opportunities shall be proportionate to the potential impact on the 
conformity of products and services. 


NOTE1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, 
eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by 
informed decision. 

NOTE2 Opportunities can lead to the adoption of new practices, launching new products, opening new 


markets, addressing new customers, building partnerships, using new technology and other desirable and viable 
possibilities to address the organization's or its customers' needs. 


6.2 Quality objectives and planning to achieve them 


6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes 
needed for the quality management system. 


The quality objectives shall: 

a) be consistent with the quality policy; 

b) bemeasurable; 

C) take into account applicable requirements; 

d) berelevant to conformity of products and services and to enhancement of customer satisfaction; 
e) be monitored; 

f) be communicated; 

g) beupdated as appropriate. 


The organization shall maintain documented information on the quality objectives. 


6.2.2 When planning how to achieve its quality objectives, the organization shall determine: 
a) what will be done; 

b) what resources will be required; 

c) who will be responsible; 

d) when it will be completed; 


e) how the results will be evaluated. 


6.3 Planning of changes 


When the organization determines the need for changes to the quality management system, the changes: 
shall be carried out in a planned manner (see 4.4). 
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The organization shall consider: 

a) the purpose ofthe changes and their potential consequences; 
b) theintegrity ofthe quality management system; 

c) theavailability of resources; 


d) the allocation or reallocation of responsibilities and authorities. 


7 Support 
7.1 Resources 


7.1.4 General 


The organization shall determine and provide the resources needed for the establishment, 
implementation, maintenance and continual improvement of the quality management system. 


The organization shall consider: 
a) the capabilities of, and constraints on, existing internal resources; 


b) whatneeds to be obtained from external providers. 


7.1.2 People 


The organization shall determine and provide the persons necessary for the effective implementation 
of its quality management system and for the operation and control of its processes. 


7.1.3 Infrastructure 


The organization shall determine, provide and maintain the infrastructure necessary for the operation 
of its processes and to achieve conformity of products and services. 


NOTE Infrastructure can include: 

a) buildings and associated utilities; 

b) equipment, including hardware and software; 
c) transportation resources; 


d) information and communication technology. 


7.1.4 Environment for the operation of processes 


The organization shall determine, provide and maintain the environment necessary for the operation 
of its processes and to achieve conformity of products and services. 


NOTE A suitable environment can be a combination of human and physical factors, such as: 
a) social (e.g. non-discriminatory, calm, non-confrontational); 

b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective); 

C) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise). 


These factors can differ substantially depending on the products and services provided. 
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7.1.5 Monitoring and measuring resources 


7.1.5.1 General 


The organization shall determine and provide the resources needed to ensure valid and reliable 
results when monitoring or measuring is used to verify the conformity of products and services to 
requirements. 


The organization shall ensure that the resources provided: 
a) are suitable for the specific type of monitoring and measurement activities being undertaken; 
b) are maintained to ensure their continuing fitness for their purpose. 


The organization shall retain appropriate documented information as evidence of fitness for purpose of 
the monitoring and measurement resources. 


7.1.5.2 Measurement traceability 


When measurement traceability is a requirement, or is considered by the organization to be an essential 
part of providing confidence in the validity of measurement results, measuring equipment shall be: 


a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards 
traceable to international or national measurement standards; when no such standards exist, the 
basis used for calibration or verification shall be retained as documented information; 


b) identified in order to determine their status; 


c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration 
status and subsequent measurement results. 


The organization shall determine if the validity of previous measurement results has been adversely 
affected when measuring equipment is found to be unfit for its intended purpose, and shall take 
appropriate action as necessary. 


7.1.6 Organizational knowledge 


The organization shall determine the knowledge necessary for the operation of its processes and to 
achieve conformity of products and services. 


This knowledge shall be maintained and be made available to the extent necessary. 


When addressing changing needs and trends, the organization shall consider its current knowledge 
and determine how to acquire or access any necessary additional knowledge and required updates. 


NOTE1 Organizational knowledge is knowledge specific to the organization; it is generally gained by 
experience. It is information that is used and shared to achieve the organization’s objectives. 


NOTE2 Organizational knowledge can be based on: 


a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from 
failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of 
improvements in processes, products and services); 


b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or 
external providers). 
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7.2 Competence 
The organization shall: 


3) determine the necessary competence of person(s) doing work under its control that affects the 
performance and effectiveness ofthe quality management system; 


b) ensure that these persons are competent on the basis of appropriate education, training, or 
experience; 


c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness 
of the actions taken; 


d) retain appropriate documented information as evidence of competence. 


NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the re- 
assignment of currently employed persons; or the hiring or contracting of competent persons. 


7.3 Awareness 

The organization shall ensure that persons doing work under the organization's control are aware of: 
a) thequality policy; 

b) relevant quality objectives; 


c) their contribution to the effectiveness of the quality management system, including the benefits of 
improved performance; 


d) theimplications of not conforming with the quality management system requirements. 


7.4 Communication 


The organization shall determine the internal and external communications relevant to the quality 
management system, including: 


a) onwhatit will communicate; 
b) whento communicate; 

c) with whom to communicate; 
d) howto communicate; 


e) who communicates. 
7.5 Documented information 


7.5.4 General 
The organization's quality management system shall include: 
a) documented information required by this International Standard; 


b) documented information determined by the organization as being necessary for the effectiveness 
of the quality management system. 


NOTE The extent of documented information for a quality management system can differ from one 
organization to another due to: 


— the size of organization and its type of activities, processes, products and services; 


Copyright International Organization for Standardization © ISO 201 5- All rights reserved 


Provided by IHS under license with ISO Licensee-Hong Kong Polytechnic University/9976803100 
No reproduction or networking permitted without license from IHS Not for Resale, 09/22/2015 23:56:01 MDT 


ISO 9001:2015(E) 


— the complexity of processes and their interactions; 


— the competence of persons. 


7.5.2 Creating and updating 

When creating and updating documented information, the organization shall ensure appropriate: 
a) identification and description (e.g. a title, date, author, or reference number); 

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); 


C) review and approval for suitability and adequacy. 
7.5.3 Control of documented information 


7.5.3.1 Documented information required by the quality management system and by this International 
Standard shall be controlled to ensure: 


a) itis available and suitable for use, where and when it is needed; 


b) itis adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). 


7.5.3.2. For the control of documented information, the organization shall address the following 
activities, as applicable: 


a) distribution, access, retrieval and use; 

b) storage and preservation, including preservation of legibility; 
c) control of changes (e.g. version control); 

d) retention and disposition. 


Documented information of external origin determined by the organization to be necessary for the 
planning and operation of the quality management system shall be identified as appropriate, and 
be controlled. 


Documented information retained as evidence of conformity shall be protected from unintended 
alterations. 


NOTE Access can imply a decision regarding the permission to view the documented information only, or 


the permission and authority to view and change the documented information. 


8 Operation 


8.1 Operational planning and control 


The organization shall plan, implement and control the processes (see 4.4) needed to meet the 
requirements for the provision of products and services, and to implement the actions determined in 
Clause 6, by: 


a) determining the requirements for the products and services; 
b) establishing criteria for: 

1) the processes; 

2) theacceptance of products and services; 


c) determining the resources needed to achieve conformity to the product and service requirements; 
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d) implementing control of the processes in accordance with the criteria; 

e) determining, maintaining and retaining documented information to the extent necessary: 
1) tohave confidence that the processes have been carried out as planned; 
2) todemonstrate the conformity of products and services to their requirements. 

The output of this planning shall be suitable for the organization's operations. 


The organization shall control planned changes and review the consequences of unintended changes, 
taking action to mitigate any adverse effects, as necessary. 


The organization shall ensure that outsourced processes are controlled (see 8.4). 
8.2 Requirements for products and services 


8.2.1 Customer communication 

Communication with customers shall include: 

a) providing information relating to products and services; 

b) handling enquiries, contracts or orders, including changes; 

C) obtaining customer feedback relating to products and services, including customer complaints; 
d) handling or controlling customer property; 


e) establishing specific requirements for contingency actions, when relevant. 


8.2.2 Determining the requirements for products and services 


When determining the requirements for the products and services to be offered to customers, the 
organization shall ensure that: 


a) therequirements for the products and services are defined, including: 
1) any applicable statutory and regulatory requirements; 
2) those considered necessary by the organization; 


b) theorganization can meet the claims for the products and services it offers. 
8.2.3 Review of the requirements for products and services 


8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and 
services to be offered to customers. The organization shall conduct a review before committing to supply 
products and services to a customer, to include: 


3) requirements specified by the customer, including the requirements for delivery and post- 
delivery activities; 


b) requirements not stated by the customer, but necessary for the specified or intended use, when 
known; 


C) requirements specified by the organization; 
d) statutory and regulatory requirements applicable to the products and services; 


e) contract or order requirements differing from those previously expressed. 
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The organization shall ensure that contract or order requirements differing from those previously 
defined are resolved. 


The customer's requirements shall be confirmed by the organization before acceptance, when the 
customer does not provide a documented statement of their requirements. 


NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the 
review can cover relevant product information, such as catalogues. 


8.2.3.2 The organization shall retain documented information, as applicable: 
a) onthe results of the review; 


b) on any new requirements for the products and services. 


8.2.4 Changes to requirements for products and services 


The organization shall ensure that relevant documented information is amended, and that relevant 
persons are made aware of the changed requirements, when the requirements for products and 
services are changed. 


8.3 Design and development of products and services 


8.3.1 General 


The organization shall establish, implement and maintain a design and development process that is 
appropriate to ensure the subsequent provision of products and services. 


8.3.2 Design and development planning 

In determining the stages and controls for design and development, the organization shall consider: 

a) the nature, duration and complexity of the design and development activities; 

b) the required process stages, including applicable design and development reviews; 

c) therequired design and development verification and validation activities; 

d) the responsibilities and authorities involved in the design and development process; 

e) the internal and external resource needs for the design and development of products and services; 
f) the need to control interfaces between persons involved in the design and development process; 
g) the need for involvement of customers and users in the design and development process; 

h) therequirements for subsequent provision of products and services; 


i) the level of control expected for the design and development process by customers and other 
relevant interested parties; 


j) the documented information needed to demonstrate that design and development requirements 
have been met. 


8.3.3 Design and development inputs 


The organization shall determine the requirements essential for the specific types of products and 
services to be designed and developed. The organization shall consider: 


a) functional and performance requirements; 
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b) information derived from previous similar design and development activities; 

C) statutory and regulatory requirements; 

d) standards or codes of practice that the organization has committed to implement; 

e) potential consequences of failure due to the nature of the products and services. 

Inputs shall be adequate for design and development purposes, complete and unambiguous. 
Conflicting design and development inputs shall be resolved. 


The organization shall retain documented information on design and development inputs. 


8.3.4 Design and development controls 
The organization shall apply controls to the design and development process to ensure that: 
a) theresults to be achieved are defined; 


b) reviews are conducted to evaluate the ability of the results of design and development to meet 
requirements; 


C) verification activities are conducted to ensure that the design and development outputs meet the 
input requirements; 


d) validation activities are conducted to ensure that the resulting products and services meet the 
requirements for the specified application or intended use; 


e) any necessary actions are taken on problems determined during the reviews, or verification and 
validation activities; 


f) documented information of these activities is retained. 


NOTE Design and development reviews, verification and validation have distinct purposes. They can be 
conducted separately or in any combination, as is suitable for the products and services of the organization. 


8.3.5 Design and development outputs 

The organization shall ensure that design and development outputs: 

a) meetthe input requirements; 

b) areadequate for the subsequent processes for the provision of products and services; 

c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria; 


d) specify the characteristics ofthe products and services that are essential for their intended purpose 
and their safe and proper provision. 


The organization shall retain documented information on design and development outputs. 


8.3.6 Design and development changes 


The organization shall identify, review and control changes made during, or subsequent to, the design 
and development of products and services, to the extent necessary to ensure that there is no adverse 
impact on conformity to requirements. 


The organization shall retain documented information on: 
a) design and development changes; 


b) theresults of reviews; 
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c) the authorization of the changes; 


d) the actions taken to prevent adverse impacts. 
8.4 Control of externally provided processes, products and services 


8.4.1 General 


The organization shall ensure that externally provided processes, products and services conform to 
requirements. 


The organization shall determine the controls to be applied to externally provided processes, products 
and services when: 


a) products and services from external providers are intended for incorporation into the organization's 
own products and services; 


b) products and services are provided directly to the customer(s) by external providers on behalf of 
the organization; 


C) a process, or part of a process, is provided by an external provider as a result of a decision by the 
organization. 


The organization shall determine and apply criteria for the evaluation, selection, monitoring of 
performance, and re-evaluation of external providers, based on their ability to provide processes or 
products and services in accordance with requirements. The organization shall retain documented 
information of these activities and any necessary actions arising from the evaluations. 


:8.4.2. Type and extent of control 


"The organization shall ensure that externally provided processes, products and services do not 
:adversely affect the organization's ability to consistently deliver conforming products and services to 
zits customers. 


"The organization shall: 


3) ensure that externally provided processes remain within the control of its quality management 
system; 


b) define both the controls that it intends to apply to an external provider and those it intends to apply 
to the resulting output; 


C) take into consideration: 


1) the potential impact of the externally provided processes, products and services on the 
organization's ability to consistently meet customer and applicable statutory and regulatory 
requirements; 


2) the effectiveness of the controls applied by the external provider; 


d) determine the verification, or other activities, necessary to ensure that the externally provided 
processes, products and services meet requirements. 


8.4.3 Information for external providers 


The organization shall ensure the adequacy of requirements prior to their communication to the 
external provider. 


The organization shall communicate to external providers its requirements for: 


a) the processes, products and services to be provided; 
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b) the approval of: 
1) products and services; 
2) methods, processes and equipment; 
3) therelease of products and services; 
C) competence, including any required qualification of persons; 
d) the external providers' interactions with the organization; 
e) control and monitoring of the external providers’ performance to be applied by the organization; 


f) verification or validation activities that the organization, or its customer, intends to perform at the 
external providers' premises. 


8.5 Production and service provision 


8.5.1 Control of production and service provision 

The organization shall implement production and service provision under controlled conditions. 
Controlled conditions shall include, as applicable: 

a) theavailability of documented information that defines: 


1) thecharacteristics of the products to be produced, the services to be provided, or the activities 
to be performed; 


2) theresults to be achieved; 
b) theavailability and use of suitable monitoring and measuring resources; 


c) theimplementation of monitoring and measurement activities at appropriate stages to verify that 
criteria for control of processes or outputs, and acceptance criteria for products and services, 
have been met; 


d) theuse of suitable infrastructure and environment for the operation of processes; 
e) the appointment of competent persons, including any required qualification; 


f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes 
for production and service provision, where the resulting output cannot be verified by subsequent 
monitoring or measurement; 


g) theimplementation of actions to prevent human error; 


h) theimplementation of release, delivery and post-delivery activities. 


8.5.2 Identification and traceability 


The organization shall use suitable means to identify outputs when it is necessary to ensure the 
conformity of products and services. 


The organization shall identify the status of outputs with respect to monitoring and measurement 
requirements throughout production and service provision. 


The organization shall control the unique identification of the outputs when traceability is a 
requirement, and shall retain the documented information necessary to enable traceability. 
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8.5.3 Property belonging to customers or external providers 


The organization shall exercise care with property belonging to customers or external providers while 
itis under the organization's control or being used by the organization. 


The organization shall identify, verify, protect and safeguard customers' or external providers' property 
provided for use or incorporation into the products and services. 


When the property of a customer or external provider is lost, damaged or otherwise found to be 
unsuitable for use, the organization shall report this to the customer or external provider and retain 
documented information on what has occurred. 


NOTE A customer's or external provider's property can include materials, components, tools and equipment, 
premises, intellectual property and personal data. 


8.5.4 Preservation 


The organization shall preserve the outputs during production and service provision, to the extent 
; necessary to ensure conformity to requirements. 


NOTE Preservation can include identification, handling, contamination control, packaging, storage, 
transmission or transportation, and protection. 


| 8.5.5 Post-delivery activities 


| The organization shall meet requirements for post-delivery activities associated with the products 
and services. 


In determining the extent of post-delivery activities that are required, the organization shall consider: 
a) statutory and regulatory requirements; 

b) the potential undesired consequences associated with its products and services; 

c) the nature, use and intended lifetime of its products and services; 

d) customer requirements; 

e) customer feedback. 


NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such 
as maintenance services, and supplementary services such as recycling or final disposal. 


8.5.6 Control of changes 


The organization shall review and control changes for production or service provision, to the extent 
necessary to ensure continuing conformity with requirements. 


The organization shall retain documented information describing the results of the review of changes, 
the person(s) authorizing the change, and any necessary actions arising from the review. 


8.6 Release of products and services 


The organization shall implement planned arrangements, at appropriate stages, to verify that the 
product and service requirements have been met. 


The release of products and services to the customer shall not proceed until the planned arrangements 
have been satisfactorily completed, unless otherwise approved by a relevant authority and, as 
applicable, by the customer. 
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The organization shall retain documented information on the release of products and services. The 
documented information shall include: 


a) evidence of conformity with the acceptance criteria; 


b) traceability to the person(s) authorizing the release. 
8.7 Control of nonconforming outputs 


8.7.4 The organization shall ensure that outputs that do not conform to their requirements are 
identified and controlled to prevent their unintended use or delivery. 


The organization shall take appropriate action based on the nature of the nonconformity and its effect 
on the conformity of products and services. This shall also apply to nonconforming products and 
services detected after delivery of products, during or after the provision of services. 


The organization shall deal with nonconforming outputs in one or more of the following ways: 
a) correction; 

b) segregation, containment, return or suspension of provision of products and services; 

c) informingthe customer; 

d) obtaining authorization for acceptance under concession. 


Conformity to the requirements shall be verified when nonconforming outputs are corrected. 


8.7.2 The organization shall retain documented information that: 
a) describes the nonconformity; 

b) describes the actions taken; 

C) describes any concessions obtained; 


d) identifies the authority deciding the action in respect of the nonconformity. 


9 Performance evaluation 


9.1 Monitoring, measurement, analysis and evaluation 


9.1.1 General 

The organization shall determine: 

a) whatneeds to be monitored and measured; 

b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results; 
c) whenthe monitoring and measuring shall be performed; 

d) when the results from monitoring and measurement shall be analysed and evaluated. 

The organization shall evaluate the performance and the effectiveness ofthe quality management system. 


The organization shall retain appropriate documented information as evidence of the results. 
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9.1.2 Customer satisfaction 


The organization shall monitor customers’ perceptions of the degree to which their needs and 
expectations have been fulfilled. The organization shall determine the methods for obtaining, 
monitoring and reviewing this information. 


NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback 


on delivered products and services, meetings with customers, market-share analysis, compliments, warranty 
claims and dealer reports. 


9.1.3 Analysis and evaluation 


The organization shall analyse and evaluate appropriate data and information arising from monitoring 
and measurement. 


The results of analysis shall be used to evaluate: 

a) conformity of products and services; 

b) the degree of customer satisfaction; 

c) the performance and effectiveness of the quality management system; 
d) if planning has been implemented effectively; 

e) the effectiveness of actions taken to address risks and opportunities; 
f) the performance of external providers; 

g) the need for improvements to the quality management system. 


NOTE Methods to analyse data can include statistical techniques. 
9.2 Internal audit 


9.2.1 The organization shall conduct internal audits at planned intervals to provide information on 
whether the quality management system: 


a) conforms to: 
1) theorganization's own requirements for its quality management system; 
2) the requirements of this International Standard; 


b) is effectively implemented and maintained. 


9.2.2 The organization shall: 


a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, 
responsibilities, planning requirements and reporting, which shall take into consideration the 
importance of the processes concerned, changes affecting the organization, and the results of 
previous audits; 


b) define the audit criteria and scope for each audit; 
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; 
d) ensure that the results of the audits are reported to relevant management; 


e) take appropriate correction and corrective actions without undue delay; 
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f) retain documented information as evidence of the implementation of the audit programme and the 
audit results. 


NOTE See ISO 19011 for guidance. 
9.3 Management review 


9.3.1 General 


Top management shall review the organization's quality management system, at planned intervals, to 
ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of 
the organization. 


9.3.2 Management review inputs 

The management review shall be planned and carried out taking into consideration: 

a) thestatus of actions from previous management reviews; 

b) changes in external and internal issues that are relevant to the quality management system; 


c) information on the performance and effectiveness of the quality management system, including 
trends in: 


1) customer satisfaction and feedback from relevant interested parties; 
2) theextent to which quality objectives have been met; 
3) process performance and conformity of products and services; 
4) nonconformities and corrective actions; 
5) monitoring and measurement results; 
6) audit results; 
7) the performance of external providers; 
d) the adequacy of resources; 
e) the effectiveness of actions taken to address risks and opportunities (see 6.1); 


f) opportunities for improvement. 


9.3.3 Management review outputs 

The outputs of the management review shall include decisions and actions related to: 
3) opportunities for improvement; 

b) any need for changes to the quality management system; 

C) resource needs. 


The organization shall retain documented information as evidence ofthe results of management reviews. 


10 " š 
Copyright International Organization for Standardization © ISO 201 5-All rights reserved 


Provided by IHS under license with ISO Licensee=Hong Kong Polytechnic University/9976803100 
No reproduction or networking permitted without license from IHS Not for Resale, 09/22/2015 23:56:01 MDT 


ISO 9001:2015(E) 


10 Improvement 


10.1 General 


The organization shall determine and select opportunities for improvement and implement any 
necessary actions to meet customer requirements and enhance customer satisfaction. 


These shall include: 


a) improving products and services to meet requirements as well as to address future needs and 
expectations; 


b) correcting, preventing or reducing undesired effects; 
c) improving the performance and effectiveness of the quality management system. 


NOTE Examples of improvement can include correction, corrective action, continual improvement, 
breakthrough change, innovation and re-organization. 


10.2 Nonconformity and corrective action 


10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall: 
a) reactto the nonconformity and, as applicable: 

1) take action to control and correct it; 

2) deal with the consequences; 


b) evaluate the need for action to eliminate the cause(s) ofthe nonconformity, in order that it does not 
recur or occur elsewhere, by: 


1) reviewing and analysing the nonconformity; 
2) determining the causes of the nonconformity; 
3) determining if similar nonconformities exist, or could potentially occur; 
c) implement any action needed; 
d) review the effectiveness of any corrective action taken; 
e) update risks and opportunities determined during planning, if necessary; 
f) make changes to the quality management system, if necessary. 


Corrective actions shall be appropriate to the effects of the nonconformities encountered. 


10.2.2 The organization shall retain documented information as evidence of: 
a) the nature ofthe nonconformities and any subsequent actions taken; 


b) theresults of any corrective action. 


10.3 Continual improvement 


The organization shall continually improve the suitability, adequacy and effectiveness of the quality 
‘management system. 
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The organization shall consider the results of analysis and evaluation, and the outputs from 
management review, to determine if there are needs or opportunities that shall be addressed as part of 
continual improvement. 
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Annex A 
(informative) 


Clarification of new structure, terminology and concepts 


A.1 Structure and terminology 


The clause structure (ie. clause sequence) and some of the terminology of this edition of this 
International Standard, in comparison with the previous edition (ISO 9001:2008), have been changed 
to improve alignment with other management systems standards. 


There is no requirement in this International Standard for its structure and terminology to be applied 
to the documented information of an organization's quality management system. 


The structure of clauses is intended to provide a coherent presentation of requirements, rather than a 
model for documenting an organization's policies, objectives and processes. The structure and content 
of documented information related to a quality management system can often be more relevant to its 
users if it relates to both the processes operated by the organization and information maintained for 
other purposes. 


There is no requirement for the terms used by an organization to be replaced by the terms used in this 
International Standard to specify quality management system requirements. Organizations can choose 
to use terms which suit their operations (e.g. using "records", "documentation" or "protocols" rather 
than "documented information"; or "supplier", "partner" or "vendor" rather than "external provider"). 
Table A.1 shows the major differences in terminology between this edition of this International 


Standard and the previous edition. 


Table A.1 — Major differences in terminology between ISO 9001:2008 and ISO 9001:2015 


ISO 9001:2008 ISO 9001:2015 i 


Products Products and services 


Exclusions Not used 


(See Clause A.5 for clarification of applicability) 


Management representative Not used 


(Similar responsibilities and authorities are assigned 
but no requirement for a single management repre- 
sentative) 


Documentation, quality manual, documented pro-|Documented information 
cedures, records 


Work environment Environment for the operation of processes 


Monitoring and measuring equipment Monitoring and measuring resources 


Purchased product Externally provided products and services 


Supplier External provider 


A.2 Products and services 


ISO 9001:2008 used the term “product” to include all output categories. This edition of this International 
Standard uses "products and services". "Products and services" include all output categories (hardware, 
services, software and processed materials). 
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The specific inclusion of "services" is intended to highlight the differences between products and 
services in the application of some requirements. The characteristic of services is that at least part of 
the output is realized at the interface with the customer. This means, for example, that conformity to 
requirements cannot necessarily be confirmed before service delivery. 


In most cases, products and services are used together. Most outputs that organizations provide to 
customers, or are supplied to them by external providers, include both products and services. For 
example, a tangible or intangible product can have some associated service or a service can have some 
associated tangible or intangible product. 


A.3 Understanding the needs and expectations of interested parties 


Subclause 4.2 specifies requirements for the organization to determine the interested parties that 
are relevant to the quality management system and the requirements of those interested parties. 
However, 4.2 does not imply extension of quality management system requirements beyond the scope 
of this International Standard. As stated in the scope, this International Standard is applicable where 
an organization needs to demonstrate its ability to consistently provide products and services that 
meet customer and applicable statutory and regulatory requirements, and aims to enhance customer 
satisfaction. 


There is no requirement in this International Standard for the organization to consider interested 
parties where it has decided that those parties are not relevant to its quality management system. It is 
for the organization to decide if a particular requirement of a relevant interested party is relevant to its 
quality management system. 


A.4 Risk-based thinking 


The concept of risk-based thinking has been implicit in previous editions ofthis International Standard, 
e.g. through requirements for planning, review and improvement. This International Standard 
specifies requirements for the organization to understand its context (see 4.1) and determine risks as 
a Basis for planning (see 6.1). This represents the application of risk-based thinking to planning and 
implementing quality management system processes (see 4.4) and will assist in determining the extent 
of documented information. 


One of the key purposes of a quality management system is to act as a preventive tool. Consequently, 
this International Standard does not have a separate clause or subclause on preventive action. The 
concept of preventive action is expressed through the use of risk-based thinking in formulating quality 
management system requirements. 


The risk-based thinking applied in this International Standard has enabled some reduction in 
prescriptive requirements and their replacement by performance-based requirements. There is greater 
flexibility than in ISO 9001:2008 in the requirements for processes, documented information and 
organizational responsibilities. 


Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement 
for formal methods for risk management or a documented risk management process. Organizations can 
decide whether or not to develop a more extensive risk management methodology than is required by 
this International Standard, e.g. through the application of other guidance or standards. 


Not all the processes of a quality management system represent the same level of risk in terms of the 
organization's ability to meet its objectives, and the effects of uncertainty are not the same for all 
organizations. Under the requirements of 6.1, the organization is responsible for its application of risk- 
based thinking and the actions it takes to address risk, including whether or not to retain documented 
information as evidence of its determination of risks. 
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A.5 Applicability 


This International Standard does not refer to "exclusions" in relation to the applicability of its 
requirements to the organization's quality management system. However, an organization can review 
the applicability of requirements due to the size or complexity of the organization, the management 
model it adopts, the range of the organization's activities and the nature of the risks and opportunities 
it encounters. 


The requirements for applicability are addressed in 4.3, which defines conditions under which an 
organization can decide that a requirement cannot be = to any of the processes within the scope 
of its quality management system. The organization can only decide that a requirement is not applicable 
if its decision will not result in failure to achieve conformity of products and services. 


A.6 Documented information 


As part of the alignment with other management system standards, a common clause on “documented 
information” has been adopted without significant change or addition (see 7.5). Where appropriate, 
text elsewhere in this International Standard has been aligned with its requirements. Consequently, 
“documented information” is used for all document requirements. 


Where ISO 9001:2008 used specific terminology such as “document” or “documented procedures”, 
"quality manual” or "quality plan", this edition of this International Standard defines requirements to 
"maintain documented information". 


Where ISO 9001:2008 used the term "records" to denote documents needed to provide evidence 
of conformity with requirements, this is now expressed as a requirement to "retain documented 
information". The organization is responsible for determining what documented information needs to 
be retained, the period of time for which itis to be retained and the media to be used for its retention. 


A requirement to "maintain" documented information does not exclude the possibility that the 
organization might also need to "retain" that same documented information for a particular purpose, 
e.g. to retain previous versions of it. 


Where this International Standard refers to "information" rather than "documented information" (e.g. in 
4.1: "The organization shall monitor and review the information aboutthese external and internalissues"), 
there is no requirement that this information is to be documented. In such situations, the organization 
can decide whether or not it is necessary or appropriate to maintain documented information. 


A.7 Organizational knowledge 


In 7.1.6, this International Standard addresses the need to determine and manage the ktowiedpe 
maintained by the organization, to ensure the operation of its processes and that it can achieve 
conformity of products and services. : 


Requirements regarding organizational knowledge were introduced for the purpose of: 
a) safeguarding the organization from loss of knowledge, e.g. 

— through staff turnover; 

— failure to capture and share information; 
b) encouraging the organization to acquire knowledge, e.g. 

— learning from experience; 

— mentoring; 


— benchmarking. 
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A.8 Control of externally provided processes, products and services 


All forms of externally provided processes, products and services are addressed in 8.4, e.g. whether 
through: 


a) purchasing from a supplier; 
b) anarrangement with an associate company; 
C) outsourcing processes to an external provider. 


Outsourcing always has the essential characteristic of a service, since it will have at least one activity 
necessarily performed at the interface between the provider and the organization. 


The controls required for external provision can vary widely depending on the nature of the processes, 
products and services. The organization can apply risk-based thinking to determine the type and extent 
of controls appropriate to particular external providers and externally provided processes, products 
and services. 
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Annex B 
(informative) 


Other International Standards on quality management and quality 
management systems developed by ISO/TC 176 


The International Standards described in this annex have been developed by ISO/TC 176 to provide 
supporting information for organizations that apply this International Standard, and to provide 
guidance for organizations that choose to progress beyond its requirements. Guidance or requirements 
contained in the documents listed in this annex do not add to, or modify, the requirements of this 
International Standard. 


Table B.1 shows the relationship between these standards and the relevant clauses of this 
International Standard. 


This annex does not include reference to the sector-specific quality management system standards 
developed by ISO/TC 176. 


This International Standard is one of the three core standards developed by ISO/TC 176. 


— ISO 9000 Quality management systems — Fundamentals and vocabulary provides an essential 
background for the proper understanding and implementation of this International Standard. 
The quality management principles are described in detail in ISO 9000 and have been taken into 
consideration during the development of this International Standard. These principles are not 
requirements in themselves, but they form the foundation of the requirements specified by this 
International Standard. ISO 9000 also defines the terms, definitions and concepts used in this 
International Standard. 


— ]S09001 (this International Standard) specifies requirements aimed primarily at giving confidence in 
the products and services provided by an organization and thereby enhancing customer satisfaction. 
Its proper implementation can also be expected to bring other organizational benefits, such as 
improved internal communication, better understanding and control ofthe organization's processes. 


— ISO 9004 Managing for the sustained success of an organization — A quality management approach 
provides guidance for organizations that choose to progress beyond the requirements of this 
International Standard, to address a broader range of topics that can lead to improvement of the 
organization's overall performance. ISO 9004 includes guidance on a self-assessment methodology 
for an organization to be able to evaluate the level of maturity of its quality management system. 


The International Standards outlined below can provide assistance to organizations when they are 
establishing or seeking to improve their quality management systems, their processes or their activities. 


— ISO 10001 Quality management — Customer satisfaction — Guidelines for codes of conduct for 
organizations provides guidance to an organization in determining that its customer satisfaction 
provisions meet customer needs and expectations. Its use can enhance customer confidence in an 
organization and improve customer understanding of what to expect from an organization, thereby 
reducing the likelihood of misunderstandings and complaints. 


— ISO 10002 Quality management — Customer satisfaction — Guidelines for complaints handling 
in organizations provides guidance on the process of handling complaints by recognizing and 
addressing the needs and expectations of complainants and resolving any complaints received. ; 
ISO 10002 provides an open, effective and easy-to-use complaints process, including training of: 
people. It also provides guidance for small businesses. : 


— ISO 10003 Quality management — Customer satisfaction — Guidelines for dispute resolution external : 
to organizations provides guidance for effective and efficient external dispute resolution for: 
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product-related complaints. Dispute resolution gives an avenue of redress when organizations 
do not remedy a complaint internally. Most complaints can be resolved successfully within the 
organization, without adversarial procedures. 


— ISO 10004 Quality management — Customer satisfaction — Guidelines for monitoring and measuring 
provides guidelines for actions to enhance customer satisfaction and to determine opportunities for 
improvement of products, processes and attributes that are valued by customers. Such actions can 
strengthen customer loyalty and help retain customers. 


— ISO 10005 Quality management systems — Guidelines for quality plans provides guidance on 
establishing and using quality plans as a means of relating requirements of the process, product, 
project or contract, to work methods and practices that support product realization. Benefits of 
establishing a quality plan are increased confidence that requirements will be met, that processes 
are in control and the motivation that this can give to those involved. 


— ISO 10006 Quality management systems — Guidelines for quality management in projects is applicable 
to projects from the small to large, from simple to complex, from an individual project to being part 
of a portfolio of projects. ISO 10006 is to be used by personnel managing projects and who need to 
ensure that their organization is applying the practices contained in the ISO quality management 
system standards. 


— ISO 10007 Quality management systems — Guidelines for configuration management is to assist 
organizations applying configuration management for the technical and administrative direction 
over the life cycle of a product. Configuration management can be used to meet the product 
identification and traceability requirements specified in this International Standard. 


— ISO 10008 Quality management — Customer satisfaction — Guidelines for business-to-consumer 
electronic commerce transactions gives guidance on how organizations can implement an effective 
and efficient business-to-consumer electronic commerce transaction (B2C ECT) system, and 
thereby provide a basis for consumers to have increased confidence in B2C ECTs, enhance the ability 
of organizations to satisfy consumers and help reduce complaints and disputes. 


— ISO 10012 Measurement management systems — Requirements for measurement processes and 
measuring equipment provides guidance for the management of measurement processes and 
metrological confirmation of measuring equipment used to support and demonstrate compliance 
with metrological requirements. ISO 10012 provides quality management criteria fora measurement 
management system to ensure metrological requirements are met. 


— ISO/TR 10013 Guidelines for quality management system documentation provides guidelines for 
the development and maintenance of the documentation necessary for a quality management 
system. ISO/TR 10013 can be used to document management systems other than those of the 
ISO quality management system standards, e.g. environmental management systems and safety 
management systems. 


— ISO 10014 Quality management — Guidelines for realizing financial and economic benefits is addressed 
to top management. It provides guidelines for realizing financial and economic benefits through the 
application of quality management principles. It facilitates application of management principles 
and selection of methods and tools that enable the sustainable success of an organization. 


— ISO 10015 Quality management — Guidelines for training provides guidelines to assist organizations 
in addressing issues related to training. ISO 10015 can be applied whenever guidance is required 
to interpret references to "education" and "training" within the ISO quality management system 
standards. Any reference to "training" includes all types of education and training. 


— ISO/TR 10017 Guidance on statistical techniques for ISO 9001:2000 explains statistical techniques 
which follow from the variability that can be observed in the behaviour and results of processes, 
even under conditions of apparent stability. Statistical techniques allow better use of available data 
to assist in decision making, and thereby help to continually improve the quality of products and 
processes to achieve customer satisfaction. 
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— ISO 10018 Quality management — Guidelines on people involvement and competence provides 
guidelines which influence people involvement and competence. A quality management system 
depends on the involvement of competent people and the way that they are introduced and 
integrated into the organization. It is critical to determine, develop and evaluate the knowledge, 
skills, behaviour and work environment required. 


— 18010019 Guidelines for the selection of quality management system consultants and use of their services 
provides guidance for the selection of quality management system consultants and the use of their 
services. It gives guidance on the process for evaluating the competence of a quality management 
system consultant and provides confidence that the organization's needs and expectations for the 
consultant's services will be met. 


— [SO 19011 Guidelines for auditing management systems provides guidance on the management of an 
audit programme, on the planning and conducting of an audit of a management system, as well as 
on the competence and evaluation of an auditor and an audit team. ISO 19011 is intended to apply to 
auditors, organizations implementing management systems, and organizations needing to conduct 
audits of management systems. 


Table B.1 — Relationship between other International Standards on quality management and 
quality management systems and the clauses of this International Standard 


Other Interna- Clause in this International Standard 
tional Standard 6 7 


ISO 9000 

ISO 9004 

ISO 10001 
ISO 10002 
ISO 10003 
ISO 10004 
ISO 10005 
ISO 10006 
ISO 10007 
ISO 10008 
ISO 10012 
ISO/TR 10013 
ISO 10014 
ISO 10015 
ISO/TR 10017 
ISO 10018 
ISO 10019 


NOTE “All” indicates that all the subclauses in the specific clause of this International Standard are related to the other 
International Standard. 
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